In July 2023, the PCAOB published the spotlight, “Staff Update and Preview of 2022 Inspection Observations.” The article summarized the PCAOB's common findings from its 2022 inspection season. Many of the findings observed in 2022 continued to be in areas like those reported in the past.¹  

Reoccurring PCAOB findings with an increasing deficiency rate, in 2020, 2021, and 2022, included revenue, business combinations, and inventory.² Critical audit matters (CAMs) and audit committee communications were also areas with a high rate of PCAOB findings, in each of those years.³   

This trend in audit deficiencies likely is an area of concern for many firms, especially in light of the rigorous enforcement posture, which is expected to continue under current leadership at the SEC and PCAOB.⁴ 

Given the importance that audit quality plays in protecting investor interests, as well as the ramifications that poor audit quality can have on audit firms, partners, and others,⁵ this article summarizes the key 2022 inspection findings and suggests actions firms could take to reduce the risk of PCAOB inspection findings and regulatory enforcement actions.  

Primary Reoccurring 2022 PCAOB Findings (Engagement Level)⁶

Common 2022 PCAOB findings included in the PCAOB publication, which were applicable at the engagement level, included the following:

• Revenue and Related Accounts: Insufficient responses to significant risks; insufficient sampling; insufficient confirmation procedures; insufficient testing of data used in software-assisted analyses; insufficient evaluation of relationships in substantive analytical procedures; and insufficient review procedures performed by a control owner.
• Accounting Estimates⁷: No risk assessment related to significant assumptions; no substantive procedures beyond inquiry; insufficient evaluation of assumptions; insufficient evaluation of management’s intent and ability to carry out actions; insufficient evaluation of differences/conclusions between a company and auditor specialist; and insufficient testing of data used by an auditor's specialist. 
• Business Combinations: Insufficient risk assessment; insufficient testing of completeness and accuracy of disclosures; insufficient evaluation of company’s specialist’s report; insufficient evaluation of auditor specialist’s work; insufficient auditor specialist’s work to evaluate reasonableness of methods, assumptions, and inputs; insufficient evaluation of departures from accounting standards; and insufficient evaluation of contradictory evidence. 
• Inventory: Insufficient testing of physical counts; unsupported reliance on controls (cycle counts); insufficient testing of accuracy and completeness of reports used in substantive procedures; and insufficient testing of conversion factors to determine inventory quantity; insufficient testing of presentation and disclosures whether in conformity with accounting standards.
• Long-Lived Assets: No or insufficient risk assessment; inappropriate basis that no risk exists; insufficient procedures to use work of company’s specialist; insufficient assessment of whether material weaknesses existed; and insufficient substantive testing as control reliance not supported; insufficient evaluation of management’s intent and ability to carry out course of action related to assumption.
   
• Internal Controls Over Financial Reporting (ICFR): Failure to evaluate review procedures performed by control owners; not identifying and testing important controls, and not sufficiently testing accuracy and completeness of data used in control.
   
• Cryptocurrency Transactions: Not evaluating whether the omission or inaccuracies of disclosures for revenue was appropriate; not assessing the appropriateness of mining revenue recognition; not evaluating the classification of digital assets as current; and not evaluating quantity and pricing information used to recognize mining revenue. 
• CAMs: Procedures to determine whether or not matters were CAMs did not include every matter that was communicated or was required to be communicated, to the audit committee, and that related to accounts or disclosures that were material. 
• Audit Committee Communications: Not communicating all required communications; identified material weaknesses; evaluation of company’s ability to continue as a going concern; uncorrected and corrected misstatements; and evaluation of company’s identification, accounting, and disclosure regarding related parties.
• Fraud Considerations: Not testing journal entries (required audit procedure); not testing completeness of population used to select journal entries for testing; and not considering characteristics of potential fraudulent entries in identifying and selecting journal entries for testing. 
• Form AP: Inaccurate information (company name, CIK number, information about other firms); late filings; and omitted information.

Primary 2022 PCAOB Findings (Firm Level)⁸

Common 2022 PCAOB findings included in the PCAOB publication, which were applicable at the firm level, included the following: 

• Independence: SEC violations of financial relationship requirements of Rule 2-01 of SEC Regulation S-X, including financial relationships, employment relationships, business relationships, non-audit services, contingent fees, and audit committee administration of the engagement.
• Engagement Quality Review (EQR): EQR not performed; EQR not performed with due care; EQRs did not have sufficient competence; no evidence in identifying documents reviewed by the EQR; and permission granted to use auditor report before EQR provided concurring approval.
• Monitoring: Firms did not have a system of quality control in place, including policies and procedures related to monitoring; firms did not perform internal inspections as their system of quality control indicated; and or firm inspection programs were not effective as the PCAOB identified deficiencies in areas that were also reviewed by firms’ monitoring activities, which did not identify the deficiencies.
• State Practice Qualification Requirements: Firms performed audits of companies in jurisdictions where the audit firm was not registered or licensed to practice.

Actions Firms Can Take to Improve Audit Quality and Reduce the Risk of Frequent PCAOB Inspection Findings and Regulatory Enforcement Actions

Even though there are many different steps audit firms could take to improve audit quality, the following is our list of  the top 10 areas firms could consider enhancing in order to improve audit quality and reduce the risk of frequent PCAOB findings and SEC or PCAOB enforcement actions⁹:

1. Tone at The Top: Improving audit quality starts with setting the right tone at the top. Leadership should set an example for audit quality through actions and behaviors, not mere words. Without “buy-in” from leadership, other actions will likely be less effective. This can be demonstrated in different ways, including communicating the importance of audit quality in leadership messaging, disseminating lessons learned from internal/external inspection findings, investing in training in key areas (including common PCAOB findings), investing in other resources (hiring the right people, engaging outside consultants), and providing incentives to professionals for positive audit results.
2. Due Professional Care: Due professional care is fundamental to any audit and is a commonly cited audit violation in SEC and PCAOB enforcement actions.¹⁰ Cultivating a culture of professional skepticism is critical, but do professionals at your firm understand what it means to exercise due professional care and skepticism? Firms should consider incorporating professional skepticism throughout their quality control documents, audit methodologies, guides, and practice aids and supplement it with robust professional skepticism training to ensure professionals maintain an appropriate levels of knowledge, skills (technical competence), and abilities. Such actions can be reinforced by early partner involvement (and coaching) on individual audit engagements and by encouraging teams to consult with other skilled professionals or specialists.
    
3. Technical Competence and Industry Experience: Assigning personnel to engagements that have the appropriate industry experience and knowledge of applicable accounting standards (U.S. GAAP) is essential to the performance of audits with due professional care. Firms should assess the technical competence and industry experience of personnel as part of the firm’s client acceptance and continuance process, periodically review client portfolios, and ensure engagement members have sufficient skills and knowledge to effectively serve clients. 
4. Risk Assessment: Performing a robust risk assessment on individual audits is essential to an effective and efficient risk-based audit. Auditors are required to develop audit response(s) to address the identified risks. Insufficient risk assessment procedures can lead to developing insufficient audit responses, or worse, not developing any audit responses. Obtaining a robust understanding of the client, flow of transactions, data and IT systems, and design of controls is paramount and required for integrated and non-integrated audits. We observed that vast opportunities exist for firms to improve the way in which they perform risk assessment procedures. We expect that data analytics and artificial intelligence will play an increasingly important role in firms’ risk assessment procedures.
5. Supervision and Review: In our experience working on SEC and PCAOB enforcement matters, regulators often focus on the sufficiency and adequacy of partner review and supervision on audits, including whether they adequately addressed potentially inconsistent or contradictory evidence (red flags). Early partner involvement during the planning phase, and ongoing supervision and review as audits progress, are essential. Evidence of partner review generally goes beyond signing off on steps in a standardized checklist. Some firms track partner involvement, and audit progress, by establishing key audit milestones or by monitoring audit quality indicators (AQIs). 
6. Intellectual Resources: Firms may develop their audit methodologies or use third-party providers. However, firms should consider enhancing their audit methodology and related audit guides, practice aids, and templates¹¹ (collectively “intellectual resources”), especially in areas subject to common PCAOB inspection findings (as applicable): revenue; estimates; business combinations; long-lived assets; inventory; ICFR; EQR; crypto transactions; CAMs; audit committee communications; and fraud (JE testing). This will provide professionals with clear guidance as they encounter these areas in their audits. Firms can further supplement this by designating a subject matter expert (SME) to each of these areas, with whom others at the firm could consult as questions arise.  
7. Engagement Quality Review: In addition to common 2022 PCAOB findings, the lack of an EQR review or insufficient EQR review is also a common audit violation cited in PCAOB enforcement matters. Firms should establish clear policies and procedures related to EQR reviews, provide robust EQR training, and assign EQR roles to individuals who have the appropriate technical competence and industry experience. As part of efforts to enhance intellectual resources, firms may consider developing forms or templates to assist EQRs in completing effective reviews.

8. Root Cause Analysis (RCA) and Remediation: RCA and remediation are key to continuous audit quality improvement. The performance of a robust RCA and remediation process enables firms to (1) identify potential underlying root causes for identified audit deficiencies¹² — whether from internal inspections, external inspections, and other reviews — and (2) develop tailored remediation actions to help prevent future audit deficiencies and satisfy the PCAOB’s evaluation of the firm’s remediation efforts. This process is important as it can identify additional or other actions beyond the ones included in this article.¹³

9. Monitoring: Monitoring activities such as periodic pre-issuance and post-issuance reviews (internal inspections or practice monitoring) of individual audit files are essential¹⁴, and if performed by a qualified review team, can be powerful in improving audit quality. Yet, the PCAOB identified monitoring as a finding in 2022. When performing such reviews, firms should consider (1) reviewing areas that were subject to frequent PCAOB findings or other areas that are considered higher risk and (2) assessing whether personnel are correctly applying the firm’s remedial actions. For example, are EQRs performing their reviews in accordance with the firm’s established policies and procedures, including related intellectual resources?

10. Ethics and Independence: Adherence to relevant ethical requirements is of paramount importance and auditor independence lies at the core of the audit profession. Auditor independence is more important than ever, especially in light of regulatory enforcement actions, industry consolidation, growth of advisory services, and increasing number of firms entering alternative practice structures.¹⁵ Firms should establish well-designed independence policies and procedures to identify, evaluate, and address any threats to independence (including financial relationships, employment relationships, business relationships, and non-audit services). They should also incorporate ethical requirements into their acceptance and continuance processes as well as training programs to ensure personnel understand the relevant ethical requirements and where they can go to obtain additional guidance.   

^{[1] PCAOB Spotlight Staff Update and Preview of 2022 Inspection Observations, Figure 8, Figure 12.}

^{[2] PCAOB Spotlight Staff Update and Preview of 2022 Inspection Observations, Figure 12.}

^{[3] PCAOB Spotlight Staff Update and Preview of 2022 Inspection Observations, Figure 8.}

^{[4] As we reported in our previous article, regulatory enforcement actions have been increasing in recent years and have carried substantially higher penalties against individuals and firms.}

^{[5] As we reported in our previous article, regulatory enforcement actions have been increasing in recent years and have carried substantially higher penalties against individuals and firms.}

^{[6] Other observations, in the PCAOB Spotlight, included information technology and audit tenure.} 

^{[7] Most of the deficiencies in estimates related to business combinations and goodwill and intangible assets, including other long-lived assets. Other observations related to accruals and allowances, derivatives, equity and equity-related transactions, inventory, investment securities, revenue, and in the assessment and conclusions regarding going concern.}

^{[8] Not all PCAOB spotlight observations are included in this Insight.} 

^{[9] Our Audit Advisory practice developed the list of 10 actions based on collective experience and observations working with firms and as former auditors and regulators. Audit firms might develop additional other actions, based on root cause analysis process.}

^{[10] The Ankura analysis of 2022 SEC and PCAOB enforcement orders.}  

^{[11] With respect to templates, some firms developed templates when testing management review controls (MRC) and when substantively testing management estimates. Effective MRC templates consider the nature and extent of procedures performed by the control owner (including how they identify and address follow up items) and accuracy and completeness of information used in the control. Effective templates when substantively testing management estimates incorporate the following: (1) methodology and assumptions, (2) completeness and accuracy of data used in the estimate, (3) mathematical accuracy of calculations, (4) guidance on how to review specialists’ work, and (5) how to address inconsistent or contradictory audit evidence.}

^{[12] Some firms track and analyze AQIs to identify potential root causes.}

^{[13] Remedial actions can include different actions, including ones included in this article, but could include additional or other actions, which should ultimately be driven by the root causes identified by the firm.}

^{[14] QC Section 30 Monitoring a CPA Firm's Accounting and Auditing Practice.}

^{[15] Statement by Paul Munter, Acting Chief Accountant, Aug. 29, 2022, Auditor Independence and Ethical Responsibilities: Critical Points to Consider When Contemplating an Audit Firm Restructuring.}